Re: Getting security updates out to users sooner

On Thu, Apr 16, 2020 at 11:56 PM Michel Alexandre Salim
<michel@xxxxxxxxxxxxxxx> wrote:
>
> Apr 16, 2020 18:02:33 Demi M. Obenour <demiobenour@xxxxxxxxx>:
>
> >
> > Finally, some packages should have all updates considered as security updates. This includes anything based on a web browser (Firefox, Thunderbird, SeaMonkey, Chromium, webkit2gtk, etc.), as well as the Linux kernel itself. Virtually every update of these packages fixes security vulnerabilities, so updates to them should be considered security updates and treated as such.
>
> For kernel updates this is probably not a good idea. Given that updates potentially introduce regressions, being able to distinguish updates with known CVEs that we do need to roll out immediately, versus other updates we can do more compatibility testing on, is critical.
>
Kernel is an area where a majority of updates do contain CVE fixes,
but we are also keenly aware of the real security impacts of these
issues. The vast majority of CVEs are of little interest to our users.
Those that are truly critical get pushed out very quickly.  It tends
to happen maybe 2 or 3 times per year.  Here is my process for when
that happens.

1. Do a build, alert releng that this critical update is in process as I start.
2. Initial testing
3. File update
4. Ping releng and get a special push of updates-testing
5. Call for testers on IRC
6. When we have had a few testers, contact releng to get a special
push to stable.

This can all happen within a matter of hours (kernels take 3 hours
just to build if everything goes well). Often it means someone in
releng is staying up late to help me deal with it, and it is greatly
appreciated.  But the system is not abused, it only happens on
critical updates.  A majority of CVEs are *not* critical updates. It
is important they are patched for a variety of reasons, but the risk
of going a day or 2 without a patch is approaching zero. There are a
lot of security researchers more concerned with getting CVEs credited
to their name rather than whether or not a CVE is really a valid
exploit path.  Things like privileged users being able to cause a DoS
are really not treated any differently than a normal bug, even if they
have a CVE attached.  Not all CVEs are created equal.

Justin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx